This week, we’ll discuss a high-severity vulnerability in GNU gzip’s zgrep utility, new functionality on GitHub that expands visibility into supply chain bugs, and a significant update to TruffleHog, a tool that scans for secrets inside Git repositories.
Arbitrary File Write Vulnerability in gzip’s zgrep Utility
CVE-2022-1271 is an arbitrary file write vulnerability found in GNU gzip’s zgrep utility. When zgrep is applied to a file name chosen by the adversary, it can write attacker-controlled content to an arbitrary file selected by the attacker.
This same vulnerability also impacts xzgrep from Tukaani XZ Utils for versions up to and including 5.2.5, 5.3.1alpha, and 5.3.2alpha. The bug was said to be inherited from gzip’s zgrep.
This vulnerability was discovered by “cleemy desu wayo” working with Trend Micro’s Zero Day Initiative.
Root Cause – This flaw occurs due to insufficient validation when processing filenames that contain two or more newlines. The attacker could craft a multiline filename that carries both the target filename and the content they want written to it. This flaw allows a remote, low-privileged attacker to force zgrep to write arbitrary files on the system.
The bug was introduced in gzip-1.3.10 and is relatively hard to exploit. Every version from that release up to the fix is said to be affected; the fix is included in gzip version 1.12.
GitHub Introduces Capability for Detecting Supply Chain Bugs
GitHub recently introduced the Dependency Review Action, which scans your pull requests for dependency changes and raises an error if any new dependencies have known supply chain vulnerabilities. The action is backed by an API endpoint that diffs the dependencies between any two revisions; the dependency changes found in a pull request are then checked against the GitHub Advisory Database to see whether the newly introduced dependencies carry known vulnerabilities.
The action can be seen as an additional measure to the existing Dependabot tool, as it alerts on vulnerabilities that are being introduced into your environment rather than reporting on vulnerabilities that might already exist.
The Dependency Review action is currently in public beta and is available for all public repositories and for private repositories belonging to organizations using GitHub Enterprise Cloud with a license for GitHub Advanced Security.
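As an added illustration of the diff-based check described above (not GitHub's own code; the advisory entries, package names, ids and versions are constructed), the following Python model parses two revisions of a pinned manifest, keeps only the dependencies the change introduces, and matches those against an advisory list with a severity threshold. A vulnerable pin that is present and unchanged in both revisions is deliberately not reported, which is the distinction from Dependabot the text draws.

```python
import re
from typing import Dict, List, Tuple

SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}

# Constructed advisory data standing in for the GitHub Advisory Database
# (package names, advisory ids and versions are hypothetical placeholders).
ADVISORIES = {
    "oldlib": [{"id": "GHSA-PLACEHOLDER-1", "patched": "1.1.0", "severity": "high"}],
    "newlib": [{"id": "GHSA-PLACEHOLDER-2", "patched": "1.0.0", "severity": "critical"}],
    "bumped": [{"id": "GHSA-PLACEHOLDER-3", "patched": "2.1.0", "severity": "moderate"}],
}

def parse_manifest(text: str) -> Dict[str, str]:
    """Parse pinned 'name==x.y.z' lines (requirements.txt style) into {name: version}."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)", line)
        if not m:
            raise ValueError(f"unsupported requirement line: {raw!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps

def version_key(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))

def introduced_dependencies(base: Dict[str, str], head: Dict[str, str]) -> Dict[str, str]:
    """Dependencies that are new, or pinned to a different version, in head relative to base."""
    return {name: ver for name, ver in head.items() if base.get(name) != ver}

def review(base_text: str, head_text: str, fail_on: str = "high") -> Tuple[List[dict], bool]:
    """Return (findings, should_fail). Only dependencies introduced by the change are
    checked, so a vulnerable pin that is identical in both revisions is never reported."""
    introduced = introduced_dependencies(parse_manifest(base_text), parse_manifest(head_text))
    findings = []
    for name, ver in introduced.items():
        for adv in ADVISORIES.get(name, []):
            if version_key(ver) < version_key(adv["patched"]):   # below the patched release
                findings.append({"package": name, "version": ver, **adv})
    should_fail = any(SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[fail_on] for f in findings)
    return findings, should_fail

# Constructed sample revisions of a manifest: oldlib stays vulnerable in both,
# bumped moves to its patched release, newlib is added at a vulnerable version.
BASE = "oldlib==1.0.0\nbumped==2.0.0\n"
HEAD = "oldlib==1.0.0\nbumped==2.1.0\nnewlib==0.9.0  # newly added\n"
```

Running `review(BASE, HEAD)` reports only newlib, even though oldlib is also below its patched version, because oldlib was not introduced by the change.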
Truffle Security Introduces TruffleHog v3
TruffleHog is a tool developed by Truffle Security that detects API keys, passwords, and other secrets committed to Git. On April 4, Dylan Ayrey from Truffle Security introduced TruffleHog v3. The new version was completely rewritten in Go and introduces many powerful new features. The most notable changes include more than 600 credential detectors that support active verification against their respective APIs, and native support for scanning GitHub, GitLab, filesystems, and S3.
Diving a little deeper, the announcement mentions improvements to the scanner’s runtime speed. Notably, all secret detectors are now preflighted with cheap string comparisons before the full detector runs, and there are overall improvements to Git scanning inspired by GitLeaks.
The repository for the project can be found at https://github.com/trufflesecurity/trufflehog.